Skip to content

Latest commit

 

History

History
64 lines (53 loc) · 6.08 KB

threat-modeling.md

File metadata and controls

64 lines (53 loc) · 6.08 KB

Threat Model Analysis for go-sql-driver/mysql

Threat: SQL Injection

  • Description: An attacker crafts malicious input that, when incorporated into a SQL query without proper sanitization (via string concatenation instead of parameterized queries), alters the query's intended logic. The attacker can inject additional SQL commands to read, modify, or delete data, potentially gaining complete control of the database or even executing OS commands if database user privileges allow.
  • Impact:
    • Data breach (unauthorized access to sensitive data).
    • Data modification (corruption or deletion of data).
    • Database takeover (complete control of the database server).
    • Potential system compromise (if the database user has OS command execution privileges).
  • MySQL Component Affected: The MySQL server's SQL parser and execution engine. The vulnerability is enabled by misuse of the go-sql-driver/mysql library – specifically, not using parameterized queries with functions like db.Query(), db.Exec(), etc., when handling user-supplied input.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Primary: Always use parameterized queries (prepared statements) with db.Prepare(), stmt.Exec(), and stmt.Query(). Use the ? placeholder for all user-supplied data. Never concatenate user input directly into SQL strings. This is the only reliable defense against SQL injection.
    • Secondary: Validate and sanitize input data as a defense-in-depth measure (check data types, lengths, allowed characters). This is not a substitute for parameterized queries.
    • Tertiary: Consider using an ORM that handles parameterized queries, but carefully review its security.

Threat: Man-in-the-Middle (MitM) Attack

  • Description: An attacker intercepts the network traffic between the Go application (using go-sql-driver/mysql) and the MySQL server. Without proper TLS encryption and certificate verification, the attacker can eavesdrop on the communication (stealing credentials or data) or modify data in transit.
  • Impact:
    • Credential theft (database username and password).
    • Data breach (exposure of sensitive data).
    • Data tampering (modification of data in transit).
  • MySQL Component Affected: The network connection between the go-sql-driver/mysql client and the MySQL server. The RegisterTLSConfig function and the tls parameter in the DSN are directly involved.
  • Risk Severity: High
  • Mitigation Strategies:
    • Primary: Always use TLS/SSL encryption (tls=true or a custom TLS configuration in the DSN).
    • Secondary: Verify the server's certificate properly. Avoid tls=skip-verify in production. Use a specific CA certificate if possible (tls=custom and configure the tls.Config).
    • Tertiary: Use a VPN or other secure network tunnel.

Threat: Connection Pool Exhaustion

  • Description: The application fails to properly close database connections (or statements/result sets), leading to the exhaustion of the connection pool. New connection requests are blocked, causing a denial of service. Long-running queries holding connections open can also contribute.
  • Impact: Denial of service (the application cannot connect to the database).
  • MySQL Component Affected: The go-sql-driver/mysql connection pool management (functions like db.SetMaxOpenConns(), db.SetMaxIdleConns(), db.SetConnMaxLifetime(), and the Close() methods on DB, Conn, Stmt, and Rows). The MySQL server's connection limit is also a factor.
  • Risk Severity: High
  • Mitigation Strategies:
    • Primary: Always close database connections, statements, and result sets when no longer needed. Use defer to ensure this happens even on errors: defer rows.Close(), defer stmt.Close(), defer db.Close().
    • Secondary: Set appropriate connection pool limits: db.SetMaxOpenConns(), db.SetMaxIdleConns(), db.SetConnMaxLifetime(). Tune these based on application needs and server capacity.
    • Tertiary: Implement timeouts for database operations using context.WithTimeout().

Threat: Insecure Connection String Storage

  • Description: The database connection string (DSN), containing sensitive credentials (username, password, hostname), is stored insecurely (hardcoded, unencrypted config file, exposed environment variables).
  • Impact: Credential theft (attacker gains database access).
  • MySQL Component Affected: The application's configuration and deployment. The DSN parsing in go-sql-driver/mysql is indirectly involved.
  • Risk Severity: High
  • Mitigation Strategies:
    • Primary: Store the DSN securely using a secrets management system (HashiCorp Vault, AWS Secrets Manager, etc.).
    • Secondary: Use environment variables, but protect them rigorously.
    • Tertiary: Encrypt configuration files. Never hardcode the DSN in source code.

Threat: Excessive Database User Privileges

  • Description: The database user account used by the application has more privileges than the minimum required. If compromised, the attacker has greater impact.
  • Impact: Increased impact of other vulnerabilities (e.g., SQL injection is more dangerous with a user that has DROP TABLE privileges).
  • MySQL Component Affected: The MySQL server's user and privilege management system. Not directly go-sql-driver/mysql, but a critical database security aspect.
  • Risk Severity: High
  • Mitigation Strategies:
    • Primary: Follow the principle of least privilege. Grant only the necessary permissions (e.g., SELECT, INSERT, UPDATE, DELETE on specific tables/columns).
    • Secondary: Avoid using root or administrative users for the application.
    • Tertiary: Regularly review and audit database user privileges.